Git-Mirrors/DivestOS
1
0
Fork 0
mirror of https://github.com/Divested-Mobile/DivestOS-Build.git synced 2025-01-27 23:57:16 -05:00
Code Issues Packages Projects Releases Wiki Activity
DivestOS/Patches/LineageOS-14.1/android_system_bt/410679.patch
Tavi b22ab2f4a5
14.1: December 2024 ASB picks 
Signed-off-by: Tavi <tavi@divested.dev>
2024-12-09 21:28:36 -05:00

72 lines
2.9 KiB
Diff
Raw Blame History

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Hui Peng <phui@google.com>
Date: Thu, 27 Jul 2023 04:09:04 +0000
Subject: [PATCH] Fix an integer underflow in build_read_multi_rsp
This is a backport of Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4
to sc-dev
Bug: 273874525
Test: manual
Ignore-AOSP-First: security
Tag: #security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d5f27984f4ca265f28a4adf5835b0198a3e19aed)
Merged-In: Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4
Change-Id: Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4
---
stack/gatt/gatt_sr.c | 32 ++++++++++++++++++--------------
1 file changed, 18 insertions(+), 14 deletions(-)
diff --git a/stack/gatt/gatt_sr.c b/stack/gatt/gatt_sr.c
index c2ae49752..71ef7f427 100644
--- a/stack/gatt/gatt_sr.c
+++ b/stack/gatt/gatt_sr.c
@@ -183,9 +183,24 @@ static BOOLEAN process_read_multi_rsp (tGATT_SR_CMD *p_cmd, tGATT_STATUS status,
if (p_rsp != NULL)
{
- total_len = (p_buf->len + p_rsp->attr_value.len);
+ total_len = p_buf->len;
if (total_len > mtu)
+ {
+ GATT_TRACE_DEBUG ("Buffer space not enough for this data item, skipping");
+ break;
+ }
+
+ len = (p_rsp->attr_value.len < mtu - total_len) ?
+ p_rsp->attr_value.len : mtu - total_len;
+
+ if (len == 0)
+ {
+ GATT_TRACE_DEBUG ("Buffer space not enough for this data item, skipping");
+ break;
+ }
+
+ if (len < p_rsp->attr_value.len)
{
/* just send the partial response for the overflow case */
len = p_rsp->attr_value.len - (total_len - mtu);
@@ -199,19 +214,8 @@ static BOOLEAN process_read_multi_rsp (tGATT_SR_CMD *p_cmd, tGATT_STATUS status,
if (p_rsp->attr_value.handle == p_cmd->multi_req.handles[ii])
{
- // check for possible integer overflow
- if (p_buf->len + len <= UINT16_MAX)
- {
- memcpy(p, p_rsp->attr_value.value, len);
- if (!is_overflow)
- p += len;
- p_buf->len += len;
- }
- else
- {
- p_cmd->status = GATT_NOT_FOUND;
- break;
- }
+ ARRAY_TO_STREAM(p, p_rsp->attr_value.value, (uint16_t) len);
+ p_buf->len += (uint16_t) len;
}
else
{
Reference in New Issue View Git Blame Copy Permalink